there's a kernel bug related to reading the last allowed page on x86_64.

The _copy_to_user() and _copy_from_user() functions use the followingcheck for address limit:

if (buf + size >= limit) fail();

while it should be more permissive:

if (buf + size > limit) fail();

That's because the size represents the number of bytes beingread/write from/to buf address AND including the buf address.So the copy function will actually never touch the limitaddress even if "buf + size == limit".

Following program fails to use the last page as bufferdue to the wrong limit check:

The other place checking the addr limit is the access_ok() function,which is working properly. There's just a misleading commentfor the __range_not_ok() macro - which this patch fixes as well.

The last page of the user-space address range is a guard page andBrian Gerst observed that the guard page itself due to an erratum on K8 cpus(#121 Sequential Execution Across Non-Canonical Boundary Causes ProcessorHang).

However, the test code is using the last valid page before the guard page.The bug is that the last byte before the guard page can't be readbecause of the off-by-one error. The guard page is left in place.

This bug would normally not show up because the last page ispart of the process stack and never accessed via syscalls.